TELECOM Digest OnLine - Sorted: Googling for ATM Master Passwords


Monty Solomon (monty@roscom.com)
Fri, 22 Sep 2006 15:01:46 -0400

Googling for ATM Master Passwords

By Ryan Naraine
September 21, 2006

Using clues obtained from a YouTube video and a simple four-word
Google search engine query, a criminal can find step-by-step
instructions for how to hack into and take control of thousands of
ATMs scattered around the United States.

Following up on a CNN report out of Virginia Beach, Va., here as a
YouTube video, that a man reprogrammed an ATM at a gas station to
dispense $20 bills instead of $5 bills, a New York-based security
researcher did some old-fashioned online sleuthing and discovered that
the operator manual for that specific model of ATM could be legally
obtained in about 15 minutes.

Dave Goldsmith, founder and president of penetration testing outfit
Matasano Security, in New York, did not say how he obtained the
operator manual -- which contains master passwords and other sensitive
security information about the cash-dispensing machines -- but an eWEEK
investigation shows that a simple Google query will return a 102-page
PDF file that provides a road map to the hack.

Goldsmith, a respected researcher who co-founded @Stake and
previously led Symantec's Security Academy, said he traced clues from
the video to identify the make and model of the ATM, a Tranax
Mini-Bank 1500 Series, and started an experiment to see how easy it
would be to legally obtain an operator manual.

In an interview with eWEEK, Goldsmith said he first dug around on
Tranax Technologies' Web site and found a knowledge base article that
mentioned that the ATM is programmed with passwords that can be found
in the operator's manual.

...

http://www.eweek.com/article2/0,1895,2018674,00.asp
